Playing ‘Pokemon Go’ Is Potentially a Huge Security Risk If You’re Using Your Google Account on iOS [Update: Will be fixed soon.]

While we’ve already established that Pokemon Go (Free) is on track to be bigger than sliced bread, not everything is as awesome as it seems in the land of Pokemon. As discovered by Adam Reeve, principal architect of the security firm RedOwl, if you log in to Pokemon Go with your Google Account, you’re potentially giving Niantic and Pokemon Go access to everything on your Google account. What can you do with full access to a Google account? Well, as Reeve points out:

Let me be clear – Pokemon Go and Niantic can now:

Read all your email

Send email as you

Access all your Google drive documents (including deleting them)

Look at your search history and your Maps navigation history

Access any private photos you may store in Google Photos

And a whole lot more

Sure enough, I double-checked my own Google Account, and Pokemon Go has full access to everything. Oddly enough, Niantic’s other game, Ingress (Free), which also uses your Google account, only requests permission to basic account info.

The other option for playing on iOS is by using a Club Pokemon account, but it seems the whole Club Pokemon system has been offline ever since Pokemon Go got slammed so hard. Also, there doesn’t appear to be any way to transition from a Google account to a Club Pokemon account, as your progress is locked to your account. Right now, this is all feeling kind of gross as Google really ties you into their ecosystem and I really, really don’t like the idea that Pokemon Go has access to send email as me.

If you want to check what access Pokemon Go and other apps connected to your Google account have, click here, log in, and then go to the connected apps & sites link. Also, while you’re in there, it’s a good idea to revoke access to stuff you’re not using anymore. We’re going to keep a close eye on this, so stay tuned for updates on how this all ends up unfolding.

Update: Unsurprisingly, it turns out this was just an error on Niantic’s part. The Verge received the following statement from them:

“We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.”